Risk Review

Video Activity

Time: 15 hours 43 minutes
Difficulty: Advanced
CEU/CPE: 16
Video Transcription
00:00
>> We've just gone over the risk management life cycle. But because risk is so very critical to approaching this exam from the proper standpoint, I want to take just one more section to really reiterate what happens at each stage of the risk management life cycle and why it's relevant.

We start off with risk identification. Most important step: you cannot skip identification, you have to start here. I look at my assets, their threats, and vulnerabilities, and remember, your threats times your vulnerabilities equal the amount of risk you have. Not a plug-in-the-dollars formula, but just conceptually. You could also see this formula as assets times threats times vulnerabilities. Either of those is fine, but basically, what am I protecting? What's it worth? Look at your threats, look at your vulnerabilities, and that will tell you what your risks are. We don't know what to do with them yet, but that will tell me what my risks are. This is information that goes in the risk register and begins the process of addressing risk. But you must start here.

Now after I know what my risks are, in that case, now I'm going to move into figuring out how to prioritize my risk and figuring out where my time, effort, energy goes in relation to risk. Where do I spend my time? Well, in order to determine that, I need a value for risk; risk assessment is where I get my value. Now, risk assessment you can really break up into two pieces. You can analyze your risk and get either a quantitative or a qualitative value for risk. We said qualitative analysis gives me subjective information. Usually it gives me a high, medium, low as far as the risk value. Quantitative analysis, though, gives me empirical data; often it'll give me a dollar value for the loss potential. That's more valuable to me to make business decisions because I can compare the cost of the countermeasure up against the potential for loss, and I can choose a countermeasure that makes sense from a cost-benefit standpoint.

That's where evaluation happens. I take what I learned with my qualitative and quantitative analysis to get a dollar value for the risk, and now I'm going to evaluate the dollar value of the potential for loss up against the cost of the countermeasure. That will let me know what mitigation strategies are going to be appropriate. If I have a loss potential of $10,000, I can eliminate risk solutions or risk responses that cost $15,000. That's the purpose of your assessment. Give me a value that will indicate what response is going to be appropriate.

Now when it comes into my responses, as I mentioned before, three main types of responses: reduce, accept, transfer. Reduction lessens probability and/or impact. Acceptance means you do nothing about the risk, but you do nothing because it's a good business decision. Often that's because the cost of the countermeasure has a greater cost than the potential for loss. I can also transfer risks through insurance or outsourcing service level agreements. Those are the three main ways. Sometimes we can avoid risks. If the potential for loss is too great, then we choose to do something else. But out of these, risk rejection is not warranted; it's not a good business decision. Risk rejection is essentially where I ignore risk, and that leaves me open to liability.

Then of course, last but not least, we continue to monitor for risk. We continue to evaluate our controls to determine: are they meeting our objectives?

It's really important on this exam to take your questions in context of risk management, to go through the process. When they're asking my choices about which cryptographic algorithm should I use, we start back with: what am I protecting? What's it worth? What are the threats and vulnerabilities? What are the costs associated with the risk versus the cost of the countermeasure? I will also mention here, like we talked about earlier, that cost cannot necessarily always be measured in dollars. When you add security, it's always going to cost you something: it may cost you performance, it may cost ease of use, it may cost backwards compatibility. We have to consider that when we're comparing the cost of the countermeasure versus the potential for loss. It cannot necessarily always be measured in dollars. When we look at the costs versus the benefits, that's going to drive our mitigation strategy and how we're going to respond; then we get our ongoing evaluation, we look for key risk indicators. Make sure you know these phases, what happens at each, and that you view your questions on the exam in context of risk. I cannot stress enough how important that section is.